Hi Anthony,
Without native character and path normalization functionality (or user-defined functions?) in iRules, I don't think it's a good idea to try to use iRules to perform HTTP security validation. It's quite simple to bypass most iRule URI validation with encoding/directory traversal attacks. See this post for details:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324
ASM can definitely provide good validation and protection. But I don't think iRules should be depended on for now for this scenario.
Aaron
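
The gap described in the post above, shown as an added example that is not part of the original post and is not iRule code: a Python sketch comparing a match on the raw request path with a check that canonicalizes the path first. The `/admin` prefix, the function names, the decode limit and the sample paths are all constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"  # hypothetical path the rule is meant to block
MAX_DECODE_PASSES = 3        # assumed limit; deeper encoding nesting is rejected

def naive_is_blocked(raw_path):
    """Match on the raw request path with no normalization."""
    return raw_path.lower().startswith(PROTECTED_PREFIX)

def canonicalize(raw_path):
    """Return the canonical path, or raise ValueError if it cannot be trusted."""
    path = raw_path.split("?", 1)[0]
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path, errors="strict")  # invalid UTF-8 raises ValueError
        if decoded == path:
            break  # fixed point: no percent-encoding left
        path = decoded
    else:
        raise ValueError("no fixed point within the decode limit")
    path = path.replace("\\", "/")
    if "\x00" in path or not path.startswith("/"):
        raise ValueError("NUL byte or non-absolute path")
    # normpath resolves "/./", "/../" and repeated slashes but keeps a leading "//"
    return "/" + posixpath.normpath(path).lstrip("/")

def is_blocked(raw_path):
    """Canonicalize first, then match on a path-segment boundary; fail closed."""
    try:
        canon = canonicalize(raw_path).lower()
    except ValueError:
        return True
    return canon == PROTECTED_PREFIX or canon.startswith(PROTECTED_PREFIX + "/")

# Constructed sample request paths, not taken from the post
SAMPLES = [
    "/admin/users",
    "/%61dmin/users",
    "/public/../admin/users",
    "/public/%252e%252e/admin/",
    "/index.html",
]

def missed_by_naive(paths):
    """Paths the canonical check blocks but the raw string match lets through."""
    return [p for p in paths if is_blocked(p) and not naive_is_blocked(p)]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:30} naive={naive_is_blocked(p)!s:5} canonical={is_blocked(p)}")
```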